Prevent bypassing captive portal?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Prevent bypassing captive portal?

L3 Networker

We are in an environment where we have captive portal (with MS SSO) but users are able to get around the authentication redirects via VPN.

 

We'd like to ensure that the only traffic that is allowed by unauthenticated users on this network is traffic that is redirected to captive portal and cannot be bypassed.

 

Would we just be looking at placing 2 rules higher up

 

1 - Desired network + unknown user + web-browsing = allowed

2 - Desired network + unknown user + all = block

?

 

 

3 REPLIES 3

Cyber Elite
Cyber Elite

Hello,

Not sure on the answer, however the captive portal is used for User-ID to IP mapping. If the PAN already knows the mapping, it will not prompt the user for a captive portal. 

 

I used to have an environment where I used USER-ID on all my policies, and if the users didnt have a mapping, they got a very restrictive URL filtering policy applied to them. This was done by security policies however.

 

Hope this helps.

Thanks, I do know that and it's only being applied to unknown users.  They do currently hit a restrictive URL policy as well when unknown, but this does not stop them from being able to bypass captive portal as that only applies to HTTP(S). Going to give the 2 rules a try to ensure only HTTP is allowed until the user is known, which should be enough to ensure only captive portal can trigger without other traffic.

Cyber Elite
Cyber Elite

Hello,

You could put in another policy that blocks traffic not related to http(s) and DNS since its required for those unknown users.

 

Just a thought.

  • 162 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!